Operation BOT ROAST


Botnet Initiative National Takedown

Answer: Botnet Task Force


October 2006 


~ Botnet Task Force discusses plans for a coordinated takedown
~ Multi-National takedown
~ Extremely difficult


March 2007 


~ FBI Cyber Division initiates National Botnet Takedown Operation
~ Operation BOT ROAST
  ~ Operation is small in nature, approximately four (4) field offices

Operation BOT ROAST: Players

~ FBI
  ~ CART - Forensics
  ~ General Counsel
  ~ Internet Crime Complaint Center
~ US Department of Justice
  ~ Computer Crimes & Intellectual Property

Battlefield

~ Mitigation = Difficult
~ Coordination = Challenging
~ Over one million victim IP addresses

~ Thousands of fraud malware
~ Very little botnet C&C malware

Engaging the Botherders

~ Show industry and law enforcement are joining forces


Operation BOT ROAST: Mitigation

~ Difficult task
~ Re-focused on botnet crimes law enforcement could prosecute
~ Follow on botnet activity through follow-on Investigations
~ Clandestine meeting with industry to discuss strategy
~ Ongoing Operation




Operation BOT ROAST: Coordination

~ Scheduled conference calls approx. every three weeks.
~ Two months scheduled to execute Operation BOT ROAST

Cyber Division
Media/Press
Office of Victim Assistance
Industry


Operation BOT ROAST: Victim Identification Notification

~ How does one identify and notify the million victim IP addresses?

~ Resources to identify
~ Resources to notify
~ Varying categories of victims




Four Categories of Victims 


Internet Services Providers
ne Institutions 


a oll providers 
Foreign Government
Foreign ISP


Two Wave Process: Victim Notification

~ First Wave:
  ~ Provide IP addresses to potential victims
  ~ Organization confirms it’s a victim
~ Second Wave:
  ~ Provide victim assistance

Plan with Industry

Close coordination with National Press Office


Operation BOT ROAST: Ongoing Operations

~ Continuing:
  ~ Victim Notification
  ~ Malware Analysis
  ~ Data Dissemination
~ Investigations
  ~ Prosecution

~ Communicate clearly with brevity
~ Ensure all parties are participating
~ You cannot please everyone